How to Create Security for Your Own WordPress Plugin

One of the benefits of WordPress is its flexibility and the ease with which you can modify it. The open source environment offers many opportunities for new or experienced developers to create solutions to issues and invent creative fixes for common problems.

However, it also creates easy opportunities for people to look for security holes in existing source code. This tutorial describes how to build security into your WordPress plugin so that you can spot and repair the areas that are vulnerable.

Creating a WordPress plugin is fairly simple. All you need is a rudimentary knowledge of PHP coding and a basic understanding of the WordPress administrative panel and file structure. It doesn't hurt to be familiar with MySQL syntax either.

Once you have created and tested your plugin, you can keep it for your own use, or you can register your plugin and make it available for others. These guidelines will give you a basic foundation for creating a WP security plugin.

How to Get Started

The first thing you need to do before you create your security plugin is to find an original file name for it. The file name should have the following characteristics:

It should have a name that is identifiable to the plugin's function.

It should be unique.

The name can have multiple words in it. To check for the uniqueness of your plugin name, search the repository of existing WordPress plugins. Performing a web search wouldn't hurt either, especially if you plan to distribute your plugin.

For example: secureme.php

Next you must create a PHP file for your plugin. This is essential in order for WordPress to process your file. When you activate your plugin, it is the name of your plugin's PHP file that you will look for in the admin panel.

This is the base code for the PHP header for a plugin. It tells the WordPress management system that the plugin is in existence and to activate, load, and run it. Without this information, your plugin won't work:
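The header comment itself does not appear above, so here is an added example of the standard WordPress plugin header (not the page's own code). WordPress only requires the Plugin Name line; the URLs, author and version are placeholders you replace with your own details, and the ABSPATH guard is an added check that stops the file from running when it is requested directly rather than loaded by WordPress.

```php
<?php
/*
Plugin Name: SecureMe
Plugin URI:  https://example.com/secureme
Description: Basic security checks for the WordPress admin area.
Version:     1.0.0
Author:      PLUGIN_AUTHOR_NAME
Author URI:  https://example.com
License:     GPL2
Text Domain: secureme
*/

// Placeholder values above (example.com, PLUGIN_AUTHOR_NAME) are assumptions, not real identifiers.
// Refuse to run if secureme.php is opened directly in the browser instead of being loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
```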

You should include licensing information stating that the plugin is licensed under the GPL2 or under a license compatible with WordPress's own GPL2 licensing. This is a standard template for that information:

<?php
/* Copyright YEAR PLUGIN_AUTHOR_NAME (email : PLUGIN AUTHOR EMAIL)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License, version 2, as
published by the Free Software Foundation.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
?>

Creating Your Security Plugin

Hooks, Filters, And Actions

Now that you have finished the preliminaries, it's time to create the plugin itself. You will need to add hooks to tie your plugin to specific WordPress events. Hooks are what let your plugin override any WordPress default behaviour that runs counter to what the plugin does: at each hook point, WP checks whether any plugin functions are registered to run there and, if so, runs them.

There are two types of hooks: action hooks and filter hooks. An action hook lets your function modify what is shown on screen or what is stored in the database. This includes adding or removing header and footer output, such as that produced by the wp_generator function.

Some examples of action hooks are:

init

get_header

create_category

A filter is a hook that is triggered before text is rendered or data is sent. For instance, a function called change_capital_T could be attached to the the_content filter hook to find any instances of the indicated text and change them from a lowercase to a capital 'T'.
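The following added example (not code from the original article) registers one action hook and two filter hooks from the plugin's main file. It removes the wp_generator output mentioned above, which otherwise prints the WordPress version in the page header, and implements the change_capital_T filter described here; all function names use an assumed laur_ prefix.

```php
<?php
// Action hook: runs on 'init', after WordPress has loaded but before any output.
// It detaches the core wp_generator callback from the wp_head action, so the
// <meta name="generator" content="WordPress x.y"> tag that reveals the version is not printed.
function laur_secureme_init() {
    remove_action( 'wp_head', 'wp_generator' );
}
add_action( 'init', 'laur_secureme_init' );

// Filter hook: the_generator is applied to the generator string used in feeds and
// other output; returning an empty string removes the version from those too.
function laur_secureme_hide_generator( $generator ) {
    return '';
}
add_filter( 'the_generator', 'laur_secureme_hide_generator' );

// Filter hook: the change_capital_T example from the text. WordPress passes the post
// content through the_content before rendering it; this callback capitalises a lowercase
// 't' that begins a sentence. A filter callback must always return the (modified) value.
function laur_secureme_change_capital_T( $content ) {
    return preg_replace( '/(^|[.!?]\s+)t/', '${1}T', $content );
}
// Priority 10 (the default) and one accepted argument.
add_filter( 'the_content', 'laur_secureme_change_capital_T', 10, 1 );
```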

To see how to register filters and actions, and to find the available WP hooks, go to the WordPress API page and learn more.

Functions

You will want to create a style sheet so that you can add CSS files to your WordPress page safely, and a menu so that the user can open the plugin. Since this is a security plugin, only the site administrator should have access to it.

Metaboxes

You should add a couple of metaboxes: one will display server and system information and run a basic security check; the other is meant to limit access to your admin panel by blocking all but admin-defined IP addresses. Metaboxes give the plugin a consistent appearance with the WP admin themes.

To limit IP access, create an .htaccess file in your wp-admin directory that blocks any IP addresses not approved by the administrator.
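As an added example (not the article's own code), this is how the IP-restriction metabox can write that wp-admin/.htaccess file safely: the administrator's input is validated so that only real IP addresses reach the file, the nonce and capability are checked before anything is saved, and the administrator's own address is always included so that saving the list cannot lock them out. The option name laur_secureme_allowed_ips and the form field allowed_ips are assumptions.

```php
<?php
// Keep only syntactically valid IPv4/IPv6 addresses. Anything else is dropped, so a stray
// line in the textarea cannot inject an arbitrary Apache directive into .htaccess.
function laur_secureme_valid_ips( array $candidates ) {
    $valid = array();
    foreach ( $candidates as $ip ) {
        $ip = trim( $ip );
        if ( filter_var( $ip, FILTER_VALIDATE_IP ) !== false ) {
            $valid[] = $ip;
        }
    }
    return array_values( array_unique( $valid ) );
}

// Render the directives (Apache 2.4 syntax). The current administrator's address is
// merged in so that the person saving the list keeps access to wp-admin.
function laur_secureme_htaccess_rules( array $ips, $current_ip ) {
    $ips    = laur_secureme_valid_ips( array_merge( $ips, array( $current_ip ) ) );
    $rules  = "# Generated by SecureMe - restrict wp-admin to approved IP addresses\n";
    $rules .= "<RequireAny>\n";
    foreach ( $ips as $ip ) {
        $rules .= "    Require ip {$ip}\n";
    }
    $rules .= "</RequireAny>\n";
    return $rules;
}

// Form handler (assumed option and field names). check_admin_referer() stops the request
// if the nonce is missing or wrong; the capability check keeps non-admins out.
function laur_secureme_save_ips() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed' );
    }
    check_admin_referer( 'laur_secureme_ips' );
    $raw   = isset( $_POST['allowed_ips'] ) ? wp_unslash( $_POST['allowed_ips'] ) : '';
    $ips   = laur_secureme_valid_ips( explode( "\n", $raw ) );
    update_option( 'laur_secureme_allowed_ips', $ips );
    $rules = laur_secureme_htaccess_rules( $ips, $_SERVER['REMOTE_ADDR'] );
    file_put_contents( ABSPATH . 'wp-admin/.htaccess', $rules, LOCK_EX );
}
add_action( 'admin_post_laur_secureme_save_ips', 'laur_secureme_save_ips' );
```

This only takes effect on Apache with AllowOverride enabled for wp-admin, and behind a reverse proxy REMOTE_ADDR may be the proxy's address rather than the administrator's. Note that wp-admin/admin-ajax.php falls under the same rules, so front-end features that call it will stop working for visitors who are not on the list unless you add an exception for that file.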

Creating Main Plugin Functions

Keeping things separate and organized makes them easier to navigate, so it helps to create a sub-directory next to secureme.php to store your main plugin functions. These functions are what run the checks for security holes and lapses, which is what your plugin is all about.

1. This will initialize and show the MySQL version and information, and run a check to make sure PHP is in safe mode in order to avoid conflicts with other plugins and functions.
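The code for this step is not shown above, so the following added example (not the article's own code) covers it together with the menu and style-sheet functions from the Functions section: an admin page that only users with the manage_options capability can open, a style sheet enqueued only on that screen, and a server-information box reporting the MySQL and PHP versions plus the safe_mode setting. It assumes a style.css next to secureme.php and renders the box with WordPress's postbox markup; note that PHP's safe_mode directive was removed in PHP 5.4, so on current PHP the check always reports it as off.

```php
<?php
// Register the plugin's admin page. The third argument is the capability required to
// see and open it; 'manage_options' restricts the page to administrators.
function laur_secureme_menu() {
    add_menu_page( 'SecureMe', 'SecureMe', 'manage_options', 'laur-secureme', 'laur_secureme_page' );
}
add_action( 'admin_menu', 'laur_secureme_menu' );

// Load the plugin's style sheet (assumed: style.css beside secureme.php) only on its own
// screen, via wp_enqueue_style rather than a raw <link> tag, so it never leaks onto other pages.
function laur_secureme_styles( $hook ) {
    if ( 'toplevel_page_laur-secureme' === $hook ) {
        wp_enqueue_style( 'laur-secureme', plugins_url( 'style.css', __FILE__ ) );
    }
}
add_action( 'admin_enqueue_scripts', 'laur_secureme_styles' );

// Collect the facts for the server-information box. safe_mode was removed in PHP 5.4,
// so ini_get() returns false there and the entry shows as "off".
function laur_secureme_server_info() {
    global $wpdb;
    return array(
        'mysql_version'  => $wpdb->db_version(),
        'php_version'    => PHP_VERSION,
        'safe_mode'      => (bool) ini_get( 'safe_mode' ),
        'display_errors' => (bool) ini_get( 'display_errors' ),
    );
}

// Render the page. The capability is checked again here: the menu entry only hides the
// page from other users, so the callback itself is the real gate. All output is escaped.
function laur_secureme_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to view this page.' );
    }
    $info = laur_secureme_server_info();
    echo '<div class="wrap"><h1>SecureMe</h1><div class="postbox"><h2>Server information</h2><ul>';
    foreach ( $info as $label => $value ) {
        $shown = is_bool( $value ) ? ( $value ? 'on' : 'off' ) : $value;
        echo '<li>' . esc_html( $label ) . ': ' . esc_html( $shown ) . '</li>';
    }
    echo '</ul></div></div>';
}
```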

Testing and Debugging

The final step in the process is to run your plugin and fix any errors. You can add define('WP_DEBUG', true) to the wp-config.php file (above the line that reads /* That's all, stop editing! */), or use this debugging code:

/**
 * Log all errors, notices and warnings to wp-content/debug.log,
 * but only while WP_DEBUG is true. Set WP_DEBUG to false again
 * when you have finished debugging.
 */
define('WP_DEBUG', true);
if (WP_DEBUG) {
    define('WP_DEBUG_LOG', true);      // write to wp-content/debug.log
    define('WP_DEBUG_DISPLAY', false); // do not print errors on the page
    @ini_set('display_errors', 0);
}

Fix each error that is found separately, and then continue to run debug until they have all been fixed.

Plugin Development Best Practices And Tips

Don't overload databases and servers with heavy code. Use only what you need and keep it light, tight, and efficient.

Before you begin creating your plugin, run a search for similar plugins, and strive to create something that is different than what's already out there.

Proper planning and organization are a must. A plugin is only as good as the attention that went into creating it.

When coding your plugin, you should create a prefix; this could be the name of your company, your initials, or anything else that distinguishes your plugin as yours and separates your code from pre-defined WordPress functions, other plugins, and WP themes. In our sample security plugin, this would be laur_secureme.php.

Conclusion

The information in this tutorial will give you the basics for creating a plugin securely. If you have any problems, there is a whole community of forums available where you can find answers, exchange ideas and tips, and meet other developers.

WordPress is a good place to start; you can find tips and news on the latest updates, features, and fixes for any issues you might encounter.

How do you enhance your security in your WordPress Plugin? Please share with us in the comments below.

Opinions expressed in this article are those of the author and not necessarily those of Onextrapixel.

Terrance is a versatile web developer and the technical editor at OXP. He enjoys creating functional websites and is particularly engrossed in all the tiny details mixed together to construct great user experiences. He always believes that every web user deserves the best!